Flashes (Alerts)
Abstract
There are potential security concerns with WebSphere Application Server Version 6.0 and Version 6.1.
Content
WebSphere Application Server Version 6.0 runs on IBM SDK Java 2 Technology Edition Version 1.4.2.
IBM SDK Java 1.4.2 is unsupported, and there have been no Oracle CPU security fixes for it since February 2013. Therefore, IBM is unable to deliver further security fixes for this version. The WebSphere Application Server version is tied specifically to the shipped Java version. The SDK major version cannot be updated or modified, for compatibility and licensing reasons.
WebSphere Application Server Version 6.1 runs on IBM SDK Java 2 Technology Edition Version 5 (also known as Version 1.5). IBM SDK Java 5.0 is unsupported, and there have been no security fixes for it since October 2015. Therefore, IBM is unable to deliver further security fixes for this version.
The WebSphere Application Server version is tied specifically to the shipped Java version. The SDK major version cannot be updated or modified, for compatibility and licensing reasons.
In addition to the concerns regarding the IBM SDK Java versions used, WebSphere Application Server Versions 6.0 and 6.1 rely on old encryption standards that are no longer considered adequate. As a result, there is an increased security risk for clients staying on these old releases.
For example, the discovery of the POODLE vulnerability prompted IBM and other vendors to disable SSLv3 by default. Additional vulnerabilities such as FREAK, Bar Mitzvah, and Logjam have further reduced the pool of encryption standards not known to be vulnerable. As a result, IBM has removed the RC4 and RSA ciphers by default. It is likely that this trend will continue. Many of these vulnerabilities may be in the SDK itself rather than in WebSphere Application Server, leaving IBM with no ability to remediate them.
Given these security risks, Service Extension contracts are no longer available for WebSphere Application Server Version 6.0, and no Service Extension contracts will be available for WebSphere Application Server 6.1 after September 2016. IBM strongly recommends that any customer using WebSphere Application Server 6.0 or 6.1 upgrade to a higher version, preferably WebSphere Application Server 8.5.5.x.
Refer to this link for the IBM SDK Java Lifecycle: http://www.ibm.com/developerworks/java/jdk/lifecycle/
Refer to this link for information on SHAwithRSA Certificates: http://www-01.ibm.com/support/docview.wss?uid=swg21959568
Document Information
Modified date: 25 September 2022
UID: swg21966229